NetScaler 12 OTP fails

[Jens Ostkamp]

Hey :)

 

I have recently set up the OTP feature within a customers environment. I followed this guide by Carl Stalhood:

http://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/

 

So, the initial Setup worked pretty well, we have used a fresh test user and everything went fine. 

 

Users can log in through their manageotp -> set up their devices -> test OTP -> log in with the otp.

 

Now, when we tried it with a regular user, the OTP verification fails. It would basically look like this: User can log in through manageotp. User can add their device (QR Code shown), as soon as the user tries to verify/test the OTP, NetScaler throws an error. The device then is automatically deleted again (when trying to login into manageotp again). 

I verified, that NetScaler is able to write the Seed into AD Attribute, retrieves the Seed but then somehow it just breaks down. 

 

So I started to check other possibilites and recognized that the usual User of my client is a member of ~100 AD Groups. After doing some testing i could verify, as soon as your user is in more than 36 groups, the failing behaviour is shown. Everything to 36 works fine. Whenever you add a 37rd group, OTP Verification fails. It doesnt matter what group it is, it doesnt matter what user it is. We tested it with a fresh user and added him to one group after another, we tested it with a duplicate of a regular user and removed one group after another. The breaking point seems the 36/37 groups. Anyone ever encountered similar thigns? I know that there are issues with many AD Groups and NetScaler somehow getting a timeout if one user is in too many groups, but from what i have researched so far, the limitations shouldnt be like 36 groups. 

 

OTP is used for MFA with LDAP for NetScaler Gateway to StoreFront

 

Thank you very much in advance

[Preetha Sampath1709156282]

Hi, I have not come across such an issue.

However, since you have already isolated the problem, please raise a support ticket to have this validated.

[Jens Ostkamp]

Meanwhile we have the exact same issue within a different environment at a different client. We will open a support ticket for this

[Jens Ostkamp]

I have the official statement of the support technician, that this is a known bug/issue which is being worked upon. There is a possible solution to this which I was unable to test yet: removing the "Group Attributes" field within the LDAP Actions. However, this is not possible as NetScaler will automatically re-fill the Group Attribute to memberOf, regardless of the change you make to this field (probably another bug). So you basically will have to enter some dummy group attribute to get rid of the MemberOf attribute. If someone has the same issue currently and is able to test this, please let me know as i am currently not able to do this kind of test. 

But basically the problem persists: it is a known bug and it's being worked upon, so there is probably no way at the moment, to work around this, especially if you need the Group Attribute "memberOf" for further configuration/authorization requirements.

[Sander van den Berg1709158642]

I have the same problem as JOstkamp, is there a fix or workarround? I am using Netscaler 13